Configuring TLS encrypted transport for OpenLDAP (complete version, manual configuration)

First, OpenLDAP must be compiled, installed and configured:

          OpenLDAP compilation, installation and configuration

Note: in the previous article, under "3. Main configuration file slapd.conf", the settings are as follows:

# change the domain name and the administrator account name;
suffix        "dc=mirage,dc=com"
rootdn        "cn=AuthUsers,dc=mirage,dc=com"

Why use TLS?

By default OpenLDAP uses simple authentication: every access to slapd sends the password in clear text over an unencrypted channel. To keep this information secure, the traffic must be encrypted, and SSL (Secure Sockets Layer) is a reliable solution.

It uses X.509 certificates, data in a standard format that is digitally signed by a trusted third party (a Certificate Authority, CA). A valid digital signature means the signed data has not been tampered with; if the signed data is altered, the signature no longer verifies.

A brief introduction to SSL/TLS encryption

SSL/TLS is an encryption scheme built on PKI, covering certificate authentication, key exchange, asymmetric encryption and symmetric encryption. It relies on a CA as an authoritative organization trusted by both server and client: issuing and validating certificates depends on the CA, and certificates issued by the CA are assumed to be reliable and trustworthy, with genuine and valid contents, so that they can be used to secure communication between client and server.

SSL/TLS certificates authenticate the identities of server and client and are used for the asymmetric encryption during key exchange. Once the key exchange is complete, the exchanged key is used for symmetric encryption of the application data; the actual cipher is negotiated between client and server. Because server and client use different SSL/TLS libraries and different user configurations, the algorithm lists they support are not identical, so during the SSL/TLS handshake each side tells the other the algorithms it supports and their order of preference. As soon as the first mutually supported algorithm is found in that order, the negotiation succeeds; otherwise it fails and the SSL/TLS connection is closed.

Environment:

Hostname                 Role                   IP address
ldapsrv02.contoso.com    openldap server        192.168.49.139
ldapclient.contoso.com   openldap client + CA   192.168.49.136

ldapsrv02 is a newly added CentOS 6.5 machine, installed directly with the earlier OpenLDAP installation script; it contains no data and is an empty directory (the domain is also contoso.com, in preparation for later two-node replication).

The actual configuration is as follows:

Hostname                              Role                   IP address
192.168.1.93 (temporary IP address)   openldap server        192.168.1.93
192.168.1.22 (temporary IP address)   openldap client + CA   192.168.1.22

Note:

[root@ldapclient ~]  prompts are operations on the machine with IP 192.168.1.22 (client)

[root@ldapsrv02 ~]   prompts are operations on the machine with IP 192.168.1.93 (server)

root@192.168.49.136:/root   must be changed to 192.168.1.22 throughout

root@192.168.49.139:/root   must be changed to 192.168.1.93 throughout

In this procedure the CA is a separate server, so the certificate signing request has to be sent to the CA server over ssh, and once the CA has signed it, the certificate file is sent back to the requester over ssh.

If the OpenLDAP server also acted as the CA, no data would need to be transferred over SSH. For production deployments, combining the two is not recommended; a separate server should act as the CA.

Preparation:

Install openssl on both CentOS machines (this is required):

yum -y install openssl

[root@ldapclient ~]# rpm -qa openssl

openssl-1.0.1e-15.el6.x86_64

[root@ldapsrv02 ~]# rpm -qa openssl

openssl-1.0.1e-15.el6.x86_64

I. Set up the CA

1) Configure the CA's issuing information

The following is done on the client side (you can skip this at first):

Remember the information entered here; it must match what is entered later when the CA server generates its public key.

cd /etc/pki/CA/

touch index.txt

echo 01 >serial

cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.bak$(date +%F)

vi /etc/pki/tls/openssl.cnf

[root@ldapclient CA]# diff /etc/pki/tls/openssl.cnf.bak2016-09-18 /etc/pki/tls/openssl.cnf

50c50

< certificate = $dir/cacert.pem # The CA certificate

---

> certificate = $dir/CA.crt     # The CA certificate

55c55

< private_key = $dir/private/cakey.pem# The private key

---

> private_key = $dir/private/CA.key   # The private key

130c130

< countryName_default = XX

---

> countryName_default = CN

135c135

< #stateOrProvinceName_default = Default Province

---

> stateOrProvinceName_default = Guangdong

138c138

< localityName_default = Default City

---

> localityName_default = Shenzhen

141c141

< 0.organizationName_default = Default Company Ltd

---

> 0.organizationName_default = contoso

148c148

< #organizationalUnitName_default =

---

> organizationalUnitName_default = Tech

2) The CA server generates its own private key

[root@ldapclient CA]# (umask 077;openssl genrsa -out private/CA.key)

Generating RSA private key, 1024 bit long modulus

...............++++++

..........++++++

e is 65537 (0x10001)

3) The CA server generates its public key (the CA certificate)

The actual values entered were:

Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [Guangdong]:ShangHai
Locality Name (eg, city) [Shenzhen]:ShangHai
Organization Name (eg, company) [contoso]:IT
Organizational Unit Name (eg, section) [Tech]:IT
Common Name (eg, your name or your server's hostname) []:192.168.1.22
Email Address []:[email protected]

[root@ldapclient CA]# openssl req -new -x509 -key private/CA.key >CA.crt

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [Guangdong]:

Locality Name (eg, city) [Shenzhen]:

Organization Name (eg, company) [contoso]:

Organizational Unit Name (eg, section) [Tech]:

Common Name (eg, your name or your server's hostname) []:ca.contoso.com

Email Address []:[email protected]

II. The OpenLDAP server generates its private key and certificate signing request

1) ldapsrv02 generates its own private key

[root@ldapsrv02 ~]# openssl genrsa -out ldapsrv02.key

Generating RSA private key, 1024 bit long modulus

...........................++++++

.....++++++

e is 65537 (0x10001)

2) ldapsrv02 generates the certificate signing request

The actual values entered were:

Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [Guangdong]:ShangHai
Locality Name (eg, city) [Shenzhen]:ShangHai
Organization Name (eg, company) [contoso]:IT
Organizational Unit Name (eg, section) [Tech]:IT
Common Name (eg, your name or your server's hostname) []:192.168.1.93
Email Address []:[email protected]

Note:

When the OpenLDAP server submits its certificate signing request to the CA, every value above except Common Name and Email Address must match the information entered for the CA certificate, otherwise the request cannot be validated.

[root@ldapsrv02 ~]# openssl req -new -key ldapsrv02.key -out ldapsrv02.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Guangdong  

Locality Name (eg, city) [Default City]:Shenzhen

Organization Name (eg, company) [Default Company Ltd]:contoso

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:ldapsrv02.contoso.com

Email Address []:[email protected]

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:123456

III. The CA server issues the certificate to the OpenLDAP server

1) ldapsrv02 sends the certificate request to the CA

[root@ldapsrv02 ~]# scp ldapsrv02.csr root@192.168.49.136:/root

The authenticity of host '192.168.49.136 (192.168.49.136)' can't be established.

RSA key fingerprint is f9:ce:14:5d:cd:bb:3c:b4:0d:0b:fc:21:3a:92:43:6b.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.49.136' (RSA) to the list of known hosts.

root@192.168.49.136's password: 

ldapsrv02.csr                                                   100%  777     0.8KB/s   00:00    

2) The CA server issues the certificate

[root@ldapclient CA]# openssl ca -in /root/ldapsrv02.csr -out /root/ldapsrv02.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Sep 18 08:22:46 2016 GMT

            Not After : Sep 18 08:22:46 2017 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Guangdong

            organizationName          = contoso

            organizationalUnitName    = Tech

            commonName                = ldapsrv02.contoso.com

            emailAddress              = [email protected]

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                39:FB:0E:BD:7D:03:7E:F3:9E:C3:BE:5B:4D:45:8B:63:B7:8B:7F:26

            X509v3 Authority Key Identifier: 

                keyid:08:FF:94:52:EC:BD:97:12:5B:96:DD:1E:36:08:43:FF:AD:2F:7B:C8

 

Certificate is to be certified until Sep 18 08:22:46 2017 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated
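As an added example (not code from the original post), the following script rebuilds the CA setup, CSR and signing steps above in a scratch directory and then runs the chain check an LDAP client performs on the issued certificate. It uses openssl x509 -req in place of openssl ca, so no CA database or openssl.cnf edits are needed, and it adds a subjectAltName the original CSR does not carry; the subject fields, hostnames and IP are the tutorial's lab values, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuilds the CA -> CSR -> signed
# server certificate steps above in a scratch directory, using "openssl x509 -req"
# instead of "openssl ca" (no CA database or openssl.cnf edits needed) and adding
# a SAN the original CSR lacks. Subjects, hostnames and IP are the lab values.
set -eu

# C, ST and O must agree between CA certificate and issued certificate; that is
# what openssl ca's default policy enforces and what the post's note asks for.
CA_SUBJ="/C=CN/ST=Guangdong/L=Shenzhen/O=contoso/OU=Tech/CN=ca.contoso.com"
SRV_SUBJ="/C=CN/ST=Guangdong/L=Shenzhen/O=contoso/OU=Tech/CN=ldapsrv02.contoso.com"

# build_demo_pki DIR: writes CA.key, CA.crt, ldapsrv02.key/.csr/.crt into DIR
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA private key kept 0600 (the post's "umask 077") and self-signed CA cert
    (umask 077; openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/CA.key" -days 365 -subj "$CA_SUBJ" \
        -out "$dir/CA.crt"
    # Server key and CSR: what ldapsrv02 sends to the CA
    (umask 077; openssl genrsa -out "$dir/ldapsrv02.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/ldapsrv02.key" -subj "$SRV_SUBJ" \
        -out "$dir/ldapsrv02.csr"
    # Extensions applied at signing: a leaf certificate, plus the SAN that
    # clients check in preference to CN (server DNS name and lab IP)
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'subjectAltName=DNS:ldapsrv02.contoso.com,IP:192.168.1.93' \
        > "$dir/srv_ext.cnf"
    # The CA signs the CSR; -CAcreateserial replaces the "echo 01 > serial" step
    openssl x509 -req -in "$dir/ldapsrv02.csr" -CA "$dir/CA.crt" \
        -CAkey "$dir/CA.key" -CAcreateserial -days 365 \
        -extfile "$dir/srv_ext.cnf" -out "$dir/ldapsrv02.crt" 2>/dev/null
}

# verify_server_cert DIR CAFILE: the chain check a client with TLS_REQCERT demand
# performs on the server certificate; prints OK or FAIL and returns 0 or 1
verify_server_cert() {
    if openssl verify -CAfile "$2" "$1/ldapsrv02.crt" >/dev/null 2>&1; then
        echo OK; return 0
    fi
    echo FAIL; return 1
}

# Demo: "sh this.sh demo" builds the PKI, verifies, prints subject/issuer/dates
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); build_demo_pki "$d"
    verify_server_cert "$d" "$d/CA.crt"
    openssl x509 -noout -subject -issuer -dates -in "$d/ldapsrv02.crt"
    rm -rf "$d"
fi
```

The same verify_server_cert check against an unrelated CA fails, which is exactly the failure that TLS_REQCERT allow would later hide on the client.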

IV. The OpenLDAP server downloads and installs the certificate

1) ldapsrv02 downloads the certificate

[root@ldapclient CA]# scp /root/ldapsrv02.crt root@192.168.49.139:/root

The authenticity of host '192.168.49.139 (192.168.49.139)' can't be established.

RSA key fingerprint is 88:23:68:20:34:ef:8b:5c:28:ef:c1:d5:ea:ef:4f:55.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.49.139' (RSA) to the list of known hosts.

root@192.168.49.139's password: 

ldapsrv02.crt                                                   100% 3271     3.2KB/s   00:00     

[root@ldapclient CA]# scp CA.crt ldapsrv02:/etc/openldap/certs/

The authenticity of host 'ldapsrv02 (192.168.49.139)' can't be established.

RSA key fingerprint is 88:23:68:20:34:ef:8b:5c:28:ef:c1:d5:ea:ef:4f:55.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'ldapsrv02' (RSA) to the list of known hosts.

root@ldapsrv02's password: 

CA.crt                                                          100% 1078     1.1KB/s   00:00    

2) ldapsrv02 installs the certificate

mv ldapsrv02.crt /etc/openldap/certs/

mv ldapsrv02.key /etc/openldap/certs/

chown -R ldap:ldap /etc/openldap/certs/

vi /etc/openldap/ldap.conf     # edit ldap.conf

[root@ldapsrv02 ~]# tail -3 /etc/openldap/ldap.conf 

URI    ldap://ldapsrv02.contoso.com

BASE   dc=contoso,dc=com

TLS_CACERTDIR /etc/openldap/certs

vi /etc/openldap/slapd.conf

[root@ldapsrv02 ~]# grep TLS /etc/openldap/slapd.conf  # edit slapd.conf, mainly the TLS settings

# The next three lines allow use of TLS for encrypting connections using a

TLSCACertificatePath /etc/openldap/certs

TLSCertificateFile /etc/openldap/certs/ldapsrv02.crt

TLSCertificateKeyFile /etc/openldap/certs/ldapsrv02.key

[root@ldapsrv02 ~]# service slapd stop  # stop the slapd service

Stopping slapd:                                            [  OK  ]

[root@ldapsrv02 ~]# slapd -h "ldap://192.168.49.139/ ldaps://192.168.49.139/"  # restart slapd, listening on both the encrypted and unencrypted ports

[root@ldapsrv02 ~]# lsof -i :389    # check the unencrypted slapd port 389

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

slapd   1757 root    7u  IPv4  14100      0t0  TCP *:ldap (LISTEN)

slapd   1757 root    8u  IPv6  14101      0t0  TCP *:ldap (LISTEN)

[root@ldapsrv02 ~]# lsof -i :636    # check the encrypted slapd port 636

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

slapd   1757 root    9u  IPv4  14104      0t0  TCP *:ldaps (LISTEN)

slapd   1757 root   10u  IPv6  14105      0t0  TCP *:ldaps (LISTEN)

[root@ldapsrv02 ~]# netstat -tunlp|grep slapd  # check the ports slapd is listening on

tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      1757/slapd          

tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1757/slapd          

tcp        0      0 :::636                      :::*                        LISTEN      1757/slapd          

tcp        0      0 :::389                      :::*                        LISTEN      1757/slapd

V. Testing from the ldapclient client

1) Download the CA public key

cp /etc/pki/CA/private/CA.key  /etc/openldap/certs/

Note: because my CA is also the LDAP client, it only needs to be copied into the matching directory; if the CA and the LDAP client are on different servers, copy it to the LDAP client with scp, rz or another method.

2) Modify the LDAP client configuration

cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.bak$(date +%F)

vi /etc/openldap/ldap.conf

[root@ldapclient CA]# /etc/init.d/nslcd restart

Stopping nslcd:                                            [  OK  ]

Starting nslcd:                                            [  OK  ]

[root@ldapclient CA]# ldapwhoami -v -x -Z

ldap_initialize( )

ldap_start_tls: Can't contact LDAP server (-1)

additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The fix for the error above is:

        Edit /etc/openldap/ldap.conf, add "TLS_REQCERT allow", then restart the nslcd service.

vi /etc/openldap/ldap.conf

[root@ldapclient CA]# egrep -v "#|^$" /etc/openldap/ldap.conf

TLS_REQCERT  allow

TLS_CACERTDIR /etc/openldap/certs

BASE dc=contoso,dc=com

URI ldaps://ldapsrv02.contoso.com/

/etc/init.d/nslcd restart

[root@ldapclient CA]# ldapwhoami -v -x -Z

ldap_initialize( )

ldap_start_tls: Operations error (1)

additional info: TLS already started

anonymous

Result: Success (0)
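As an added example (not part of the original post), this script audits a client ldap.conf for the two settings involved in the error above: TLS_REQCERT allow makes the client proceed even when the server certificate cannot be verified, so the -8172 error disappears without the certificate ever being checked, whereas keeping the default demand and giving the client the CA certificate (CA.crt, rather than the CA.key copied in step 1 above) makes the same check succeed for the right reason. The sample ldap.conf files are constructed from the page's values; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audits a client ldap.conf for
# the settings behind the error above. TLS_REQCERT never/allow let the client
# continue with a server certificate it could not verify, so any certificate is
# accepted; "demand" (libldap's default) plus a trust anchor holding CA.crt is
# what actually fixes the -8172 failure. Sample files are constructed.
set -eu

# audit_ldap_conf FILE: prints one finding per line; returns 0 if clean, 1 if not
audit_ldap_conf() {
    reqcert="demand"   # value libldap assumes when the directive is absent
    anchor=""
    # one directive per line, '#' comments, directive names are case-insensitive
    while read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac
        case "$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" in
            TLS_REQCERT) reqcert=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') ;;
            TLS_CACERT|TLS_CACERTDIR) anchor="$key $value" ;;
        esac
    done < "$1"
    rc=0
    case "$reqcert" in
        demand|hard) ;;   # certificate required and must verify against the anchor
        try) echo "WEAK: TLS_REQCERT try accepts a server that sends no certificate"; rc=1 ;;
        *)   echo "WEAK: TLS_REQCERT $reqcert accepts an unverifiable server certificate"; rc=1 ;;
    esac
    if [ -z "$anchor" ]; then
        echo "WEAK: no TLS_CACERT/TLS_CACERTDIR, nothing to verify the server against"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: TLS_REQCERT $reqcert, trust anchor: $anchor"; fi
    return "$rc"
}

# write_samples DIR: the ldap.conf shown in the post (weak.conf) and a hardened form
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
TLS_REQCERT  allow
TLS_CACERTDIR /etc/openldap/certs
BASE dc=contoso,dc=com
URI ldaps://ldapsrv02.contoso.com/
EOF
    cat > "$1/hardened.conf" <<'EOF'
TLS_REQCERT demand
TLS_CACERT /etc/openldap/certs/CA.crt
BASE dc=contoso,dc=com
URI ldaps://ldapsrv02.contoso.com/
EOF
}
# Demo: "sh this.sh demo" audits both constructed files (weak.conf returns 1)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    audit_ldap_conf "$d/weak.conf" || true; audit_ldap_conf "$d/hardened.conf"; rm -rf "$d"
fi
```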

[root@ldapclient CA]# ldapsearch -x -D "cn=admin,dc=contoso,dc=com" -H ldaps://192.168.49.139 -W -b "dc=contoso,dc=com"

Enter LDAP Password: 

# extended LDIF

#

# LDAPv3

# base with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

 

# search result

search: 2

result: 32 No such object

 

# numResponses: 1

# because ldapsrv02 only has OpenLDAP installed and no data has been imported, this query result is correct.

  

In summary:

After configuration the files are roughly as follows:

CA + client side (192.168.1.22):

Step / File / Location / Command

1. CA server generates its private key
   File: CA.key          Location: /etc/pki/CA/private
   [root@ldapclient CA]# (umask 077;openssl genrsa -out private/CA.key)

2. CA server generates its public key
   File: CA.crt          Location: /etc/pki/CA
   [root@ldapclient CA]# openssl req -new -x509 -key private/CA.key >CA.crt

6. CA server issues the certificate
   File: ldapsrv02.crt   Location: /root
   [root@ldapclient CA]# openssl ca -in /root/ldapsrv02.csr -out /root/ldapsrv02.crt

7. OpenLDAP server downloads the certificate
   File: ldapsrv02.crt   Location: /root/openldap_server
   File: CA.crt          Location: /etc/pki/CA
   [root@ldapclient CA]# scp /root/ldapsrv02.crt root@192.168.1.93:/root/openldap_server
   [root@ldapclient CA]# scp CA.crt 192.168.1.93:/usr/local/etc/openldap/certs/

14. Client test: download the public key
   File: CA.key          Location: /etc/pki/CA
   [root@ldapclient CA]# cp CA.crt /usr/local/etc/openldap/certs/

15. Modify the LDAP client configuration

On the client:

# cp /etc/pki/CA/private/CA.key /usr/local/etc/openldap/certs/

[Note]

Because my CA is also the LDAP client, it only needs to be copied into the matching directory; if the CA and the LDAP client are on different servers, copy it to the LDAP client with scp, rz or another method.

# cd /usr/local/etc/openldap/

# vim ldap.conf   (remember to back up first)

TLS_REQCERT allow

TLS_CACERTDIR /usr/local/etc/openldap/certs

BASE dc=mirage,dc=com

URI ldaps://192.168.1.93 # can also be URI ldaps://127.0.0.1

(The line TLS_REQCERT allow must be added, otherwise the error ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) appears)

16. Start testing

# ldapsearch -x -LLL -D "cn=AuthUsers,dc=mirage,dc=com" -w asdfgh -H ldaps://192.168.1.93 -b "dc=mirage,dc=com"

(If ldap_bind: Invalid credentials (49) appears, the query command is usually wrong)


OpenLDAP server side (192.168.1.93):

Step / File / Location / Command

3. OpenLDAP server generates its private key
   File: ldapsrv02.key   Location: /root/openldap_server
   [root@ldapsrv02 openldap_server~]# openssl genrsa -out ldapsrv02.key

4. OpenLDAP server generates the certificate signing request
   File: ldapsrv02.csr   Location: /root/openldap_server
   [root@ldapsrv02 openldap_server~]# openssl req -new -key ldapsrv02.key -out ldapsrv02.csr

5. OpenLDAP server requests a certificate from the CA
   File: ldapsrv02.csr
   [root@ldapsrv02 openldap_server~]# scp ldapsrv02.csr root@192.168.1.22:/root

8. OpenLDAP server installs the certificate

On the server side:

# cd /root/openldap_server/

# cp ldapsrv02.crt /usr/local/etc/openldap/certs/

# cp ldapsrv02.key /usr/local/etc/openldap/certs/

# chown -R ldap:ldap /usr/local/etc/openldap/certs/

# vim /usr/local/etc/openldap/ldap.conf   (remember to back up first)

TLS_CACERTDIR /usr/local/etc/openldap/certs

BASE dc=mirage,dc=com

URI ldap://127.0.0.1/  # this can also be 192.168.1.93

# vim /usr/local/etc/openldap/slapd.conf    (remember to back up first)

TLSCACertificatePath  /usr/local/etc/openldap/certs

TLSCertificateFile     /usr/local/etc/openldap/certs/ldapsrv02.crt

TLSCertificateKeyFile   /usr/local/etc/openldap/certs/ldapsrv02.key

TLSCACertificatePath  /usr/local/etc/openldap/certs

Note: this path must end at the /certs directory; otherwise, when step 10 is run with -d 256 for debugging, it reports the error TLS: could not load client CA list (file:`',dir:`/usr/local/etc/openldap/certs/CA.crt').

The configuration database files must be regenerated:

# rm -rf slapd.d/*

# slaptest -f slapd.conf -F slapd.d/

# chown -R ldap:ldap slapd.d/

9. Stop the slapd service (this step is mandatory)

[root@ldapsrv02 ~]# service slapd stop  # do not use the kill command to end the process

10. Restart slapd, listening on both the encrypted and unencrypted ports

[root@ldapsrv02 ~]# slapd -h "ldap://192.168.1.93/ ldaps://192.168.1.93/"

11. Check the unencrypted slapd port 389

12. Check the encrypted slapd port 636

13. Check the ports slapd is listening on

[root@ldapsrv02 ~]# lsof -i :389

[root@ldapsrv02 ~]# lsof -i :636  

[root@ldapsrv02 ~]# netstat -tunlp | grep slapd


When testing TLS encrypted transport, you can capture packets and inspect them:

Server side (192.168.1.93), capture:

#tcpdump -i eth0 -w /dev/shm/ldap.pcap | grep -v ssh  

Client side (192.168.1.22), query:

#ldapsearch -x -LLL -D "cn=AuthUsers,dc=mirage,dc=com" -w asdfgh -H ldaps://192.168.1.93 -b "dc=mirage,dc=com"

Inspecting .crt / .pem / .csr files:

[root@localhost CA]# openssl x509 -noout -text -in CA.crt


Test procedure

Server side (192.168.1.188)

1. First check for the slapd server process

[root@localhost ~]# ps aux | grep slapd

2. If it is not running, execute the following

[root@localhost openldap]# /usr/local/libexec/slapd -h "ldap://192.168.1.188 ldaps://192.168.1.188"

3. Check again

[root@localhost ~]# ps aux | grep slapd

4. If it did not start normally, execute the following

[root@localhost openldap]# /usr/local/libexec/slapd -h "ldap://192.168.1.188 ldaps://192.168.1.188" -d 256

(On the server side, -d 256 enables debugging output.

If it reports 5b20eb1e daemon: bind(7) failed errno=98 (Address already in use): slapd is already running.

If it reports TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:821: the files under slapd.d were not regenerated after slapd.conf was changed.)

5. Query the directory tree entries on the server side (ldapsearch reads the base and uri values from /usr/local/etc/openldap/ldap.conf)

[root@localhost ~]# ldapsearch -x -LLL

(If it reports ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1): change URI in ldap.conf to ldap://<server IP address> or to a hostname that can be resolved, or the slapd process did not start successfully.)

 

(Checking the server side alone) Confirm that the current socket passes CA verification, i.e. that the OpenLDAP server is using SSL/TLS encrypted transport:

Server side:

[root@localhost certs]# killall slapd

[root@localhost certs]# /usr/local/libexec/slapd -h "ldaps://192.168.1.188"

[root@localhost certs]# openssl s_client -connect 192.168.1.188:636 -showcerts -state -CAfile /usr/local/etc/openldap/certs/CA.crt 

Successful output:

    00a0 - 28 86 fa 51 6d 17 4f be-41 0e 7f de c5 27 5e 6a   (..Qm.O.A....'^j

 

    Compression: 1 (zlib compression)

    Start Time: 1528885067

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

 

Client side (192.168.1.177)

Query the directory tree entries from the client

[root@slave1 openldap]# ldapsearch -x -H "ldap://192.168.1.188" -b "dc=mirage,dc=com"

(If it reports ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1): the line TLS_REQCERT allow was not added to /usr/local/etc/openldap/ldap.conf, or the slapd process on the server did not start successfully; check on the server side.)

 

On the client, verify the legitimacy of the OpenLDAP server certificate with the CA certificate's public key:

Run on the client: # openssl verify -CAfile /etc/pki/CA/CA.crt /root/ldapsrv02.crt

/root/ldapsrv02.crt: OK

Run on the server: [root@localhost certs]# openssl verify -CAfile /usr/local/etc/openldap/certs/CA.crt /root/openldap_server/ldapsrv02.crt 

/root/openldap_server/ldapsrv02.crt: OK

Reference links: https://www.cnblogs.com/lemon-le/p/6266921.html

                    https://m.linuxidc.com/Linux/2017-10/147558.htm